SQL Injection in OpenEMR Application by OpenEMR
CVE-2019-14529

9.8CRITICAL

Key Information:

Vendor: Open-emr
Status: Openemr
Vendor: CVE Published:; 2 August 2019

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2019-14529?

OpenEMR prior to version 5.0.2 is vulnerable to SQL Injection attacks due to improper handling of user input in the eye_mag/save.php file. Attackers can exploit this vulnerability to execute arbitrary SQL commands, potentially allowing unauthorized access to sensitive data within the database. It is crucial for users of affected OpenEMR versions to apply the necessary updates or patches to safeguard their systems against this threat.

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2019-14529
Created by Wezery

References

https://github.com/openemr/openemr/pull/2592

x_refsource_MISC

https://github.com/Wezery/CVE-2019-14529

x_refsource_MISC

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Aug 13, 2019
👾
Exploit known to exist
Aug 13, 2019
Vulnerability published
Aug 2, 2019
Vulnerability Reserved
Aug 2, 2019

CVE-2019-14529 Data

JSON

Open-emr

Badges

What is CVE-2019-14529?

Exploit Proof of Concept (PoC)

References

CVSS V3.1

Timeline